Posts

During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website.

Taking a Look at the .htaccess Injector Code

Below is the code within the ./modules/mod_widgetread_twitt/index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:

The WordPress Slimstat plugin, which currently has over 100k installs, lets you gather analytics data for your WordPress website. It tracks certain information, such as browser and operating system details and page visits, to optimize the website analytics.

Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator dashboard.

Timeline

2019/05/16: Initial disclosure

2019/05/20: Patch released (4.8.1)

2019/05/21: Blog post released

Details

This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin’s access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index, the default page shown once you log in.

W97M/Downloader is part of a large banking malware operation that peaked in March 2016. Bad actors have been distributing this campaign for well over a year; it serves as a doorway to the Vawtrak and Dridex banking trojans. The campaign targets a wide array of users, selecting the appropriate payload based on their operating system and browser.

We welcome SecureAge APEX scanner to VirusTotal. In the words of the company:

“SecureAge APEX is an anti-malware scanning engine powered by artificial intelligence, designed to extend the detection capabilities of the SecureAge SecureAPlus endpoint protection platform (EPP). The APEX engine provides next-generation endpoint detection as part of the SecureAPlus layered approach to security which includes Application Control & Application Whitelisting, multi-cloud anti-virus, fileless attack protection and more. To deal with advanced threats like zero-day malware, the APEX engine goes beyond traditional scanners by reliably identifying unseen and mutated malware types and variants from day one of their release. The APEX engine that runs in VirusTotal targets Windows PE files; with integration into the VirusTotal ecosystem, SecureAge looks forward to further enhancing APEX’s capabilities, and above that, adding value to VirusTotal’s cybersecurity services.”

The Ultimate Member plugin, version 2.0.45 and lower, is affected by multiple vulnerabilities, among them a critical one that allows malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.

All of our clients behind our website firewall are already protected, and are not at risk.

The three vulnerabilities have the following DREAD score:

Arbitrary file read and delete: 8.4

Admin dashboard XSS: 7.4

User Profile XSS: 6.8

Disclosure / Response Timeline:

2019/05/07: Initial disclosure

2019/05/08: Partial patch released (2.0.45)

2019/05/10: Complete patch released (2.0.46)

File Leak and Delete

If an admin added a File upload or Image upload input field to one of the forms (such as the user profile), a user can use it to download any file on the server.

Referral programs and affiliate marketing opportunities can be found on many web-based company sites; however, they are often overlooked. Commonly, people consider these programs something they “should leave to the professionals”.

We designed our new Referral Program Guide to give clear insight into affiliate marketing for both beginners and long-term affiliates. You don’t need to be an affiliate pro. We treat every member of our program the same, whether you refer hundreds of customers per month or one per year.

Sucuri is partnering with GoDaddy Pro to make the internet more secure, one website professional at a time. Developers, designers, agencies, and freelancers now have an exclusive avenue to level up security knowledge and differentiate their businesses from the competition.

The Yomi engine implements a multi-analysis approach that combines static analysis and behavioral analysis, providing an ad hoc analysis path for each kind of file. The static analysis section includes document and macro code extraction, plus imports, dependencies and trust chain analysis. The behavioral detection engine is built to recognize the suspicious actions malware performs silently, giving powerful insight into command and control, exfiltration and lateral movement activities over the network, including encrypted channels. Each analysis is reported in an intuitive aggregated view so that interesting patterns can be spotted at a glance.

To see the full details click on the “Full report” within the behavior tab.

Interesting features

Executed commands

Within the Yomi Hunter report, additional information on executed commands can be seen. In this case, we see obfuscated PowerShell commands being run.

To search other behaviour reports for the string “zgohmskxd”, we can use the behavior_processes:zgohmskxd search query to find another sample with the same variable name. Check out the other search modifiers that can be used to find similar samples.

Mutexes

Within the Additional information tab, we can also find the mutexes used by the sample under analysis.

To search other sandbox behavior reports with the same string, we can search behaviour:AversSucksForever

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.

Disclosure / Response Timeline:

April 30 – Initial contact attempt

May 07 – Patch is live

Are You at Risk?

This vulnerability requires some level of social engineering to be exploited.

NSFOCUS POMA, an integral part of the NSFOCUS Threat Intelligence (NTI) system, is a cloud-based malware analysis engine built by the NSFOCUS Security Lab. It can take various types of files and perform both static and dynamic analysis on them to detect potentially malicious behavior, producing analytic reports in many formats (including STIX). This service can help users protect their environments from various threats, such as 0-day attacks, advanced persistent threats (APTs), ransomware, botnets, cryptocurrency mining and other malware.

We are very honored and proud to bring such values to the VirusTotal users and community.

Attackers commonly rely on backdoors to easily gain reentry and maintain control over a website. They also use PHP functions to further deepen the level of their backdoors.

A good example of this is the shell_exec function which allows plain shell commands to be run directly through the web application, providing attackers with an increased level of control over the environment.

Backdoor in Cron

While investigating a client with repeated website infections, we came across a scenario where a cron job was being used to reinfect the site.

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately.

As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.

Current State of the Vulnerability

This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched.

Here at Sucuri, most of the malware that we deal with is on CMS platforms like WordPress, Joomla, Drupal, Magento, and others.

But every now and then we come across something a little different.

Blackhat SEO Infection in Typo3

Just recently, I discovered a website using the Typo3 CMS that had been infected with a blackhat SEO spam infection:

Typo3 CMS

Before I begin, according to websitesetup.org, Typo3 is currently the 8th most widely used CMS platform on the web, so I’m surprised I had never seen an infection with this software before, but it looks like over half a million websites on the web use Typo3.

We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time. Bad actors have added more vulnerable plugins to inject similar malicious scripts.

It feels like yesterday, but it has been 10 years since the domain sucuri.net was registered.

Happy 10th Birthday, Sucuri!

For us, 2009 marks the birth of the brand, as it represents the day when the open-source project secured its name. The first Sucuri service was originally called NBIM (Network Based Integrity Monitoring).

Sucuri was intended to be an interface for the NBIM project. It allowed anyone to monitor websites for changes in content, WHOIS & DNS.